exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

camshot.overflow.txt

camshot.overflow.txt
Posted Dec 31, 1999
Authored by Underground Security Systems Research

CamShot is a Windows 95/98/NT web server that serves up web pages containing time stamped images captured from a video camera. The images can be viewed from anywhere on the network with a web browser. UssrLabs found a Local / Remote Buffer overflow, The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed.

tags | exploit, remote, web, overflow, arbitrary, local
systems | windows
SHA-256 | f179a5f67d4a3699e41fea3f876e418d1c1298f43b98efb499e0052e8832b256

camshot.overflow.txt

Change Mirror Download
---------- Forwarded message ----------
From: "Ussr Labs" <labs@ussrback.com>
To: "TECHNOTRONIC" <news@technotronic.com>
Subject: Local / Remote GET Buffer Overflow Vulnerability in CamShot WebC=
am HTTP Server v2.5 for Win9x/NT
Date: Thu, 30 Dec 1999 14:04:14 -0300
Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP
Server v2.5 for Win9x/NT

USSR Advisory Code: USSR-99028

Release Date:
December 30, 1999 [4/5]

Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly others versions.

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages contain=
ing
time
stamped images captured from a video camera. The images can be viewed fro=
m
anywhere
on the network with a web browser. CamShot works with =91Video For Window=
s
compatible
video equipment. Finally a cheap and simple way to do remote surveillance=
is
here!.

THE PROBLEM

UssrLabs found a Local / Remote Buffer overflow, The code that handles GE=
T
commands
has an unchecked buffer that will allow arbitrary code to be executed if =
it
is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contributio=
n
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>

Where [buffer] is aprox. 2000 characters. At his point the server overflo=
ws.

And in remote machine someone will be see something like this.

CAMSHOT caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=3D0069fa74 CS=3D017f EIP=3D61616161 EFLGS=3D00010246
EBX=3D0069fa74 SS=3D0187 ESP=3D005a0038 EBP=3D005a0058
ECX=3D005a00dc DS=3D0187 ESI=3D816238f4 FS=3D33ff
EDX=3Dbff76855 ES=3D0187 EDI=3D005a0104 GS=3D0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

Binary or source for this Exploit (wen we finish it):

http://www.ussrback.com/

Vendor Status:
Informed.

Vendor Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm

Credit: USSRLABS

SOLUTION
Noting yet.

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic an=
d
Wiretrip.

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close